FR3042626A1 - METHOD AND SYSTEM FOR SECURE ACCESS AND DISCRIMINATION TO INTEGRATED CIRCUIT SERVICES BY DIVERSIFYING A SINGLE ROOT KEY - Google Patents

Abstract

To secure access to services offered in an integrated circuit, the invention provides for deriving a single root key by two successive derivation operations. One of the derivation operations derives the root key from a service identifier, in order to have several keys for a circuit, each of which is specific to a given service. For example, during the first diversification, the root key is diversified into an intermediate key from a unique information associated with a service to access and from a batch identifier consisting of a plurality of integrated circuits; and, during the second diversification, the intermediate key thus obtained is diversified into the personal key from a serial number of the integrated circuit. Authentication from the personal key thus obtained allows access to the desired service, for example to customize the integrated circuit during its production.

Description

FIELD OF THE INVENTION

The present invention relates to the field of electronic integrated circuits and more particularly to a method and a system for accessing services implemented in such integrated circuits.

BACKGROUND OF THE INVENTION

Electronic integrated circuits are nowadays implemented in many electronic devices. Particularly known are integrated circuits forming electronic chip chip card, memory cards, USB key, etc.

The manufacture of an integrated circuit is generally carried out in a first site or manufacturing unit (usually a factory) where the circuit is developed on a silicon wafer (or wafer). Then when it has to be personalized or pre-personalized, this operation is performed in a second site or personalization unit (or several other sites) where the integrated circuit thus developed is (pre) personalized by digital data with regard to the functions that he will have to fill.

In the rest of this document, the term "customization" will generally be understood as being that commonly used by those skilled in the microcircuit card industry, or as defined by W. Rankl and W. Effing in the document "Smart Card Handbook, Second Edition, Ed. John Wiley & Sons, Ltd" as follows: "The term personalization, in its broadest sense, means that card-specific or person-specific data has been entered into the map. This data can for example be a name, an address, but also keys associated with the card. The only thing that matters is that this data is specific to this card. "

By extension, the pre-customization of the integrated circuits consists of similar operations except that the data entered in these integrated circuits are common to a batch of integrated circuits or to a type of entity (for example, smart cards). This is for example program configuration data contained in a read-only memory ROM which aims to determine a behavior or operation common to all these integrated circuits of the same batch or the same type of entity.

For security reasons, the integrated circuits, when they leave manufacturing sites, must contain a transport key specific to each integrated circuit, to prevent unwanted access to memories, usually EEPROM ("Electrically-Erasable Programmable Read -Only Memorÿ 'or electrically erasable and programmable read-only memory), they contain.This transport key is then used during an authentication control prior to pre-customization or customization of the integrated circuit with access to these memories. transport can be seen as an authentication key.

An authentication key can also be used to access other services than those mentioned above, namely personalization services or pre-personalization of cards.

Patent FR 2 960 327 describes a method of accessing a service in an integrated circuit, which comprises: an authentication step, by an access device external to the integrated circuit, of said integrated circuit using a personal key of authentication inherent to said integrated circuit and stored in the integrated circuit, said personal authentication key being generated by a first diversification of a root key into an intermediate key, followed by a second diversification of the intermediate key into the personal key of authentication; then in the case of successful authentication, a service access step in the integrated circuit, including a personalization service of the integrated circuit.

In this document, the first diversification allows to generate an intermediate key common to a lot of cards, from an initial secret, the root key. The use of several intermediate keys in batches makes it possible to guarantee the independence of the production with respect to the batches: as the derivation operation is not invertible, the disclosure of an intermediate key or a key personal circuit does not compromise the secret from which it originates, namely the initial secret or the intermediate key common to a lot.

The second diversification makes it possible to generate the personal authentication key from an identifier specific to each circuit for a given lot. This two-step diversification scheme is illustrated in Figure 1.

SUMMARY OF THE INVENTION The approach proposed in document FR 2 960 327 does not take into account different levels of access that could be assigned to a plurality of services that a card or chip can offer over authentication.

The services can group various features or functions available in a card, including functions that are degraded relative to one another (additions of reading functions and / or writing in memory). For example, various personalization services may propose to act differently on the same personalization parameters (available memory size) or to act on distinct personalization parameters (authorization or not to write in certain parts of memory , etc.).

Using the personal authentication key obtained in the document FR 2 960 327 to access all the services does not appear secure, as it is conventionally sought to provide different access rights. The intuitive approach of providing a root key per service to derive a personal authentication key dedicated to said service for each card does not appear entirely satisfactory. This approach is illustrated schematically in Figure 2 for N services, and thus N key roots (initial secrets).

Indeed, the number of references to initial secrets that a hardware security module HSM (Hardware Security Modulated) for integrated circuits should manage then increases proportionally to the number of services offered, and therefore increases when new services are offered. This results in a management volume (key transfer, storage, access, ...) that can be important.

In order to improve this situation, the invention furthermore provides that the first or second diversification comprises a diversification operation of the root or intermediate key from a unique information associated with said service to be accessed.

Thus it is possible to use a single initial secret (root key) to result in a plurality of personal keys dedicated to a plurality of services within the same integrated circuit. The number of references to an initial secret can thus be controlled and reduced.

Correlatively, the invention also relates to a system for accessing a service in an integrated circuit, comprising an access device external to the integrated circuit, said access device comprising code instructions which, when executed by a processor cause the access device to perform the following steps: an authentication step of said integrated circuit using a personal authentication key specific to said integrated circuit and stored in the integrated circuit, said personal authentication key being generated by a first diversifying a root key into an intermediate key, followed by a second diversification of the intermediate key into the personal authentication key; in the case of successful authentication, a step of accessing the service in the integrated circuit; characterized in that the first or second diversification comprises a diversification operation of the root or intermediate key from a unique information associated with said service to access.

The system has advantages similar to those of the method mentioned above. In particular, the system may include means relating to the process characteristics set forth later.

Optional features of the method according to the invention are further defined in the dependent claims. The system according to the invention may also comprise means configured to implement these optional features.

In a main embodiment, the diversification operation from said unique information associated with said service to be accessed is included in the first diversification diversifying the root key into an intermediate key. This makes it possible to simply obtain intermediate keys dedicated to respective services, from a single initial secret.

Of course, a possible variant is that in which this diversification operation is carried out during the second diversification.

In a particular embodiment, the first diversification of the root key into the intermediate key further comprises an operation of diversification of the root key from a batch identifier consisting of a plurality of integrated circuits. Thus, an implementation of the invention makes it possible, by said first diversification, to obtain intermediate keys dedicated to several services, for the same set of cards. This arrangement is particularly suited to a batch integrated circuit production process, avoiding managing several initial secrets.

According to a particular characteristic, the batch identifier constitutes a first sub-part of a serial number of the integrated circuit. According to the choice of the first sub-part, this arrangement makes it possible to obtain operational intermediate keys for a subset of the integrated circuits manufactured. It is thus possible to match an intermediate key to a third party handling a subset of the integrated circuits manufactured for a given service. This third party thus has no knowledge of the root key and / or other intermediate keys that are operational for integrated circuits that it does not handle as well as the root key and / or other intermediate keys that are operational for d. 'other services.

According to this arrangement, said first sub-part of the serial number is common to a plurality of integrated circuits (forming the batch). It may for example include wafer batch number information or wafer number on which the integrated circuits are constructed. This is a lot of integrated circuits manufactured together.

The intermediate key generated corresponds to this batch of wafers or this particular wafer.

According to another particular characteristic, the second diversification diversifying the intermediate key into the personal key comprises an operation of diversification of said intermediate key from a second subpart, distinct from the first sub-part, of the circuit serial number. integrated.

In particular, said second sub-part of the serial number identifies the integrated circuit within the integrated circuit package identified by said first sub-part. It can for example be the position of the integrated circuit on a wafer or in a batch of wafers. One can thus, by diversification of a key, individualize the authentication key for each integrated circuit manufactured.

In particular, said first and second sub-parts of the serial number are complementary in said unique serial number, that is to say that they form together (in concatenation for example) the entire single serial number .

By applying these various features, a system according to the invention can thus be configured to, during the first diversification, diversify the root key into an intermediate key from said unique information associated with said service to access and from a batch identifier consisting of a plurality of integrated circuits; and for, during the second diversification, diversify the intermediate key thus obtained in the personal key from a serial number of the integrated circuit. Note that batch diversification can be made optional by considering a lot grouping all the integrated circuits considered.

In one embodiment, the unique serial number of the integrated circuit is stored in nonvolatile memory of the integrated circuit. This allows the diversification (s) within the integrated circuit.

In one embodiment, the second diversification of the intermediate key into the personal authentication key comprises a diversification operation of the intermediate key from a unique serial number (or unique identification data) of the integrated circuit.

In one embodiment, access to the service includes customizing the integrated circuit using data specific to said integrated circuit. A preferred application of the invention is thus the control of access to personalization or pre-personalization services for smart cards or the like.

In one embodiment, the method comprises a step of manufacturing the integrated circuit at a manufacturing site and a step of reception, by said manufacturing site, of the root key or of any associated intermediate key or keys. to services from the central site, and said manufacturing comprises a step of generating personal authentication keys associated with services in the integrated circuit, by diversification of said root key or of the intermediate key or keys using said steps of diversification and a step of recording said personal authentication keys in a non-volatile memory of said integrated circuit.

Thus, when leaving the manufacturing site, all integrated circuits contain their own authentication keys associated respectively with the services they offer).

In a variant, the method comprises a step of manufacturing the integrated circuit at a manufacturing site and a step of reception, by said manufacturing site, of the root key or of one or more intermediate keys possibly associated with services from the central site, and said manufacturing comprises a step of registering said root key or the intermediate key or keys possibly associated with services in a non-volatile memory of said integrated circuit.

This arrangement makes it possible to simplify the operations relating to secret keys made by the founder / manufacturer of integrated circuits, since he no longer has to generate the personal authentication keys specific to each circuit and each service and now only handles only key, the root key, for a greater or lesser number of integrated circuits manufactured simultaneously, and this regardless of the number of services offered.

The operational costs and the risks related to the handling of the secret keys are thus reduced for the founder.

According to one particular characteristic, the method comprises a step of generating, within the integrated circuit and in response to a first signal received by the integrated circuit, said personal authentication keys associated with the services that the integrated circuit proposes by diversifying the registered key (root or intermediates).

This diversification implements, of course if necessary, the two stages of diversification.

This internal generation also increases the confidentiality of personal authentication keys because their values are unknown to external bodies (newspaper, founder, etc.).

In particular, the method comprises the steps of: erasing the stored root key or intermediate keys from the non-volatile memory; and - registering said personal authentication keys (thus generated) in the nonvolatile memory of the integrated circuit (one per proposed service).

In particular, said erasure can be achieved by overwriting in memory the root key or the intermediate keys registered by the generated personal authentication keys.

The memorization of the authentication keys makes it possible to perform the authentication during access to a particular service, for example for a personalization mode, to the integrated circuit. The crash ensures that, in possession of this integrated circuit, an ill-intentioned person can not recover the root key or the intermediate keys for the purpose of malicious reuse.

In an embodiment already mentioned, the personal authentication keys are obtained by diversification of the root key from a unique serial number of the integrated circuit stored in said nonvolatile memory of the integrated circuit and of as many identifiers that services offered. Note that the registration of this serial number and service identifiers can take place at the manufacturing site, along with the registration of the root key.

Thus, the generation of personal authentication keys can be conducted autonomously by the integrated circuit itself, without requiring information from outside the integrated circuit.

The unique serial number of the integrated circuit may in particular comprise an identifier of a batch of silicon wafers or of a silicon wafer on which said integrated circuit is developed, and include an identification (an identifier or spatial coordinates) of said circuit. integrated within the said lot or slice.

In one embodiment of the invention, said first signal is a first analog signal for powering up the integrated circuit. This is usually the first test power-up by test equipment at the manufacturing site prior to delivery to a personalization site, to determine if the IC is operational or intended for scrap.

This provision makes it possible to generate the personal authentication keys before any intervention on the integrated circuit. Due to the presence of tests on the manufacturing site, this provision leads to the fact that integrated circuits, when delivered to personalize it, already contain their personal key (s) of transport, different for each integrated circuit and possibly for each proposed service. This prevents the knowledge of the root key is only likely to give access to all cards with this root key in common.

In a variant, said first signal is a first digital signal, that is to say containing digital information. This makes it possible to generate the personal authentication keys only when the digital processing means of the integrated circuit (the processor or microcontroller) are solicited. Generally, this first access by digital signal is made during the first attempt to personalize the integrated circuit.

Thus, in this configuration, the waiting times corresponding to the (sub) -diversification of the root key or intermediate keys to obtain the personal keys of authentication according to the proposed services are deported out of the manufacturing site. This avoids any waiting at this site.

In addition, since analog signal processing (manufacturing site) is shorter than that of digital signals (usually at the personalization site), this arrangement makes the generation of authentication keys virtually transparent with respect to processing of such a digital signal.

In particular, the first digital signal is a first command instruction, for example of the APDU type sent by the access device and for example during the first access attempt for customization of the integrated circuit. In particular, a control instruction has the function of executing an action on the integrated circuit, by calling a program (the operating system for example) already stored in the integrated circuit.

According to a particular characteristic, the method comprises, on reception of said first signal by the integrated circuit, a write step, in a programmable nonvolatile memory that only once (PROM_Programmable Read Only Memory or OTP _One Time Programmable), information indicating that a first signal has already been received.

Thanks to this information (for example a flag or any other binary indicator), the integrated circuit is aware, at a lower cost, of the already achieved realization of the diversification of the registered key to obtain its personal authentication key. The inclusion of this information in a programmable memory once only ensures, moreover, that no malicious action can lead to a new realization of the diversification of the key or keys recorded by the integrated circuit.

Thus, in this case, the method may comprise, upon reception of a signal (of the same nature as said first signal) and prior to triggering the generation of personal authentication keys, a step of determining the presence, in memory nonvolatile programmable once, information indicating that a first signal has already been received. Thus, the integrated circuit is able to effectively block a new generation of personal authentication keys if this has already been done.

According to a particular characteristic, said writing of the information that a first signal has already been received is subsequent to a step of recording the personal authentication keys in the nonvolatile memory of the integrated circuit. This arrangement protects the integrated circuit from certain problems that may result from the power failure of it before the end of the internal generation by diversification. Indeed, the information of a first access already made is thus stored in memory only when the personal authentication keys (one per service offered) have been generated.

Of course, variants may be provided, such as the registration of this information prior to generation by diversification.

According to another particular characteristic, said integrated circuit transmits, to an external device and subsequently to a step of recording the personal authentication keys in the nonvolatile memory of the integrated circuit, a response to said first signal. Of course, this external device is in particular that which generated said first signal to the attention of the integrated circuit. It may be in particular said access device when it is used, for example, to perform the very first customization of the integrated circuit.

This arrangement makes it possible to adjust the response according to the success or otherwise of the generation stage by diversification. Thus, a possible error can be raised to the external device to, for example, to put the integrated circuit scrapped.

In particular, said external device waits for a response to said first signal for at least 50 ms (milliseconds) before generating an error, in particular at least 100 ms, preferably at least 250 ms. Generation by diversification introduces additional processing delays compared to the processing of the first signals. This arrangement thus ensures that these generation delays are taken into account at the level of the test devices and / or customization of the integrated circuit.

In one embodiment, the same root or intermediate key is stored in a plurality of integrated circuits fabricated on the same silicon wafer at the manufacturing site. This arrangement allows the founder, manufacturer of integrated circuits, to handle only a small number of root / intermediate keys for all circuits of the same silicon wafer {\ η / 3ίβή or the same batch. Note that the same root / intermediate key can be used for an entire batch of silicon wafers.

Furthermore, the step of registering the root key or the intermediate key (s) in non-volatile memory may comprise a step of direct access to said non-volatile memory, that is to say without going through the processor or a conventional communication interface of the integrated circuit, and a step of writing said root key or the intermediate key or keys in the memory during this direct access. This direct access makes it possible to avoid the detection of an anomaly if the integrated circuit is powered up without holding the root key and means for detecting an anomaly on the secret keys equip this circuit.

In various aspects, the authentication step may comprise: an authentication of the integrated circuit by the access device; an authentication of the access device by the integrated circuit; or - a mutual authentication grouping the two aforementioned authentications.

Each authentication can be of the challenge-response type.

In particular, the method may comprise steps of customizing a plurality of integrated circuits at a distinct pre-personalization or personalization site, these personalization steps being preceded by authentications in which the serial number of a corresponding integrated circuit by sending a command to this integrated circuit, it diversifies said root key from the serial number obtained and an identifier of the desired customization service, and an authentication is carried out, preferably mutual, to from this root key ente the integrated circuit and a personalization device.

According to one characteristic of the invention, the method comprises mounting said integrated circuit in a card body according to the ISO 7816 standard. Of course, the integrated circuit can also be mounted on a non-contact device module conforming to the ISO standard. 14443.

Devices conforming to one of these standards may in particular take the form of an ID1 format card, a biometric passport, a USB key, a microSD type storage memory, etc.

According to another characteristic of the invention, said diversification of the root key implements a hash function, for example SHA-256 ("Secure Hash Algorithm" producing a result or hash on 256 bits).

According to another characteristic of the invention, said integrated circuit comprises, in memory, said personal authentication key, and said authentication step implements a symmetric key cryptographic algorithm. Of course, the implementation of asymmetric key cryptographic algorithms can be envisaged.

According to another characteristic of the invention, said method is implemented during a personalization operation of said printed circuit.

The diversification of the root key to obtain the personal authentication key includes, according to the provisions of the invention, the first and second diversifications.

BRIEF DESCRIPTION OF THE FIGURES Other features and advantages of the invention will become apparent in the description below, illustrated by the accompanying drawings, in which: FIG. 1 schematically illustrates a key diversification scheme for integrated circuits, according to the state of the art; FIG. 2 schematically illustrates a hypothetical scheme for diversification of keys for unsatisfactory integrated circuits; FIG. 3 represents a production system embodying the present invention according to a first embodiment; FIG. 4 diagrammatically illustrates an integrated circuit in a smart card at a first moment of production in the system of FIG. 3, in particular before the generation, within the integrated circuit, of a personal key for transport or authentication. ; FIG. 5 represents, in the form of a logic diagram, steps for producing smart cards or integrated circuits according to the first embodiment of FIG. 3; FIG. 6 schematically illustrates a diversification scheme according to the invention, deriving a single root key from service identifiers proposed by an integrated circuit; FIG. 7 diagrammatically illustrates the application of this diversification scheme to a plurality of services and a plurality of integrated circuits; - Figure 8 schematically illustrates the integrated circuit of Figure 4 at a second production time in the system of Figure 3, in particular after the generation, within the integrated circuit, of a personal key transport or authentication; FIG. 9 represents a production system embodying the present invention according to a second embodiment; and FIG. 10 represents, in the form of a logic diagram, steps for producing smart cards or integrated circuits according to the second embodiment of FIG. 9.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Figure 3 shows the different stakeholders in a process of producing an electronic chip card from an integrated circuit.

As shown diagrammatically in FIG. 4, a chip card CP generally comprises a plastic card body CO receiving a module constructed from an integrated circuit Cl 10. The latter comprises a processor or microcontroller 11, as well as a non-volatile memory rewritable 12, a volatile memory type RAM 13, a non-volatile memory ROM ROM 14 and a communication interface 19 for exchanging data between the processor and the outside of the smart card and also to supply electrically the smart card, for example electrical contacts according to ISO / IEC 7816 or contactless interface according to ISO / IEC 14443.

The memories and the communication interface are managed and accessible by the microcontroller (read and / or write as appropriate).

The smart card can offer various features or services accessible on authentication. Each feature or service can be identified by unique IDserv ID information. Note that a null IDserv identifier can be assigned to a given service. Similarly, the absence of identifier may also designate a particular service. By way of example, two different functionalities may concern two personalization services of the smart card that are distinguished by different rights (authorization to access certain memory zones or not, possibility of modifying certain parameters or not, setting values available different, etc.). Typically, an administrator customization service can offer a wide range of smart card personalization options, whereas a client personalization service can be a degraded personalization service, that is, with fewer customization options.

Returning to FIG. 3, a client 100, for example a chip card manufacturer, uses a manufacturer 200 (or founder) of integrated circuits and a company 300 of (pre) customization of integrated circuits according to desired features in the smart card.

The manufacturing site 200 is a highly secure environment, from a physical point of view as well as a computer, in order to guarantee an integrated manufacturing of integrated circuits 10 from silicon wafers 1 or wafers.

At the prime contractor level, a hardware security module (HSM) 110 for integrated circuits is provided for generating secret manufacturer keys MSK ("Manufacturer Secret Keÿ"), hereinafter referred to as root keys or These root keys can then be transmitted to the manufacturing site 200 by secure access, for example via the secure Internet In accordance with embodiments of the invention, one or more intermediate keys MSKL are derived each root key, in particular according to the services available in the cards, and it is these MSKL intermediate keys that are transmitted to the site (pre) personalization 300 by secure access, for example via the secure Internet.

At the foundry 200, an HSM hardware security module 210 is also present to receive these MSK root keys and communicate them securely to the rest of the production line.

The latter comprises a control and programming module 220 of the integrated circuits and a programming head 230 of the integrated circuits 10. As will be seen later, this programming head 230 also comprises feed means (not shown) of the integrated circuits 10 during an initial test.

Of course the manufacturing operations and (pre) personalization can be conducted by the same company, the manufacturing units and (pre) customization can be in the same plant but in two separate operational areas.

For the remainder of the description, the customization of the integrated circuits 10 will mainly be described. The invention however applies to other operations, for example those of pre-personalization.

FIG. 5 illustrates steps of production of a smart card CP according to a first embodiment.

During an initial step E0, the melter 200 conducts the hardware manufacturing of integrated circuits 10, and therefore of the various components listed above in connection with FIG. 4. In particular, the design of the various layers of the integrated circuit produces the non-volatile memory non-rewritable (ROM) 14 to include data representative of basic program instructions for the operation of the integrated circuit, for example a boot program and a suitable operating system OS to treat APDU commands ("Application Protocol Data Unit" in English) as discussed later.

At the manufacturing site 200, the electronic integrated circuits 10 are developed on wafers 1 (step E0). Each wafer belongs to a lot of wafers numbered ID | 0t and includes an identification number IDwafer- Each integrated circuit realized on a wafer can also be identified by its position (Xcircuit, Ydrcuit) on a wafer or include a circuit number IDCircuit in the batch or on the wafer.

In a first step E1, at the smart card manufacturer 100, an MSK key is generated (the root MSK), for example on 8 or 16 bytes, by the HSM module 110. The step E1 is followed by a step ΕΓ during which the HSM module 110 also generates intermediate keys MSKL by a first step S1 for diversification of the root key MSK from: - for example the IDiot batch number of several circuits or IDwafer wafer number which is currently being built by the manufacturing site 200. This batch or wafer number can constitute a first sub-part of a unique identification data or unique serial number ID, of an integrated circuit 10, . This sub-part is particularly common to a set of integrated circuits (those of the same batch or the same wafer) and as such, the intermediate key MSKL is common to the same set of integrated circuits; and - unique IDserv information associated with one or more services offered by the card. Step E1 'thus makes it possible to generate several intermediate keys MSKL from a single reference (root key) in the HSM, such that each intermediate key is associated with a service offered by the card and is unique per service and per batch . By way of illustration, this first step S1 of diversification can implement a cryptographic hash function, for example SHA-256 which has the advantage of a fast execution and hardly detectable. Thus, from a 16-byte MSK root key, a batch number ID | 0t on 4 to 8 bytes for example and an IDserv service identifier on 1 to 4 bytes for example, which are simply concatenated at the input of the hash function, we obtain a 32-byte MSKL intermediate key: MSKL = SHA-256 (IDserv || IDlot || MSK).

Alternatively, one can use an encoding according to a symmetric algorithm, for example MSKL = AES (IDServ, ID | 0t, MSK).

The root key MSK is sent to the founder 200 and the intermediate keys MSKL are transmitted to the personalization site 300, respectively to the HSM modules 210 and 310, via the secure Internet, during the steps E2 and E2 '. At this stage, it is observed that the customization site 300 is not aware of the root key MSK, which increases the security of the protection of integrated circuits.

Once a wafer 1 of integrated circuits 10 has been developed, the programming module 220 controls, in step E4 ', the head 230 to write, in the non-volatile rewritable memory 12, for example type EEPROM, of each integrated circuit 10: the unique identification data ID of the integrated circuit, which may for example comprise all or part of the type of integrated circuit, an identifier of the site of manufacture IDsite, and identifiers ID | 0t, IDwafer and IDcircuit (or Xdrcuit, Ydrcuit); - the MSK root key.

FIG. 4 illustrates the state of the integrated circuit after this step, being noted that the IDserv identifier of each service is also known of the integrated circuit, in association with each proposed service.

Thus, the programming head 230 comprises means for direct access to the memory zone 12 for writing these various data, for example by direct contact on the physical terminals of the memory. The term "direct access" is understood here to mean that access is not made through the integrated circuit processor or through the normal interface of the integrated circuit (usually the electrical contacts according to the ISO / IEC standard 7816).

This direct access is useful when the operating system of the processor 11 includes means for detecting anomalies or attacks relating to secret keys, which is generally the case. Indeed, in this case, if the processor is powered up before the root key is stored in nonvolatile memory, an anomaly / attack is immediately detected due to the absence of the key, and this detection leads to put the integrated circuit out of service, while this is not the case.

It is therefore noted at this stage (step E4 ') that all the integrated circuits have in memory the same root key MSK. Thus, the founder 100 manipulates only this root key, without having to generate the personal keys of each of the integrated circuits or intermediate key MSKL.

Then in step E5, the founder 200 stores, in a log (digital file or "log"), the only unique ID identification data, associated circuits. This log is in particular stored in an encrypted manner at the level of the programming module 220 or, alternatively, in the HSM module 210. At the end of this step, the programming of the integrated circuits 10 has been performed. Optionally, it is planned to conduct a power test E6 'to verify the proper electrical operation of each circuit.

This test comprises step E60 during which a control module with a feed head (it can be the same module as the programming module 220 provided with its head 230) connects to the normal external electrical contacts of the communication interface and puts the integrated circuit 10, powered by applying a very first analog power supply signal.

This power up automatically triggers the execution (E61 '), by the processor 11, of a program for automatically generating one or more MSKD personal transport / authentication keys. According to the invention, each personal key MSKD, is dedicated to a particular service provided by the integrated circuit, that is to say that this personal key must be used to authenticate in order to access said associated service.

The generation calculation consists, for example, in diversifying the root key MSK in two successive diversification steps S1 and S2 from the unique serial number ID, and the service identifier IDserv, this information (root key, serial number and service identifiers) being stored in the non-volatile memory 12 accessed by the processor 11.

The first step S1 consists for example in obtaining an intermediate key MSKL for each service offered by the integrated circuit, from the root key MSK in memory and the service identifier IDserv, for example MSKL = SHA-256 (IDserv | IDiot || MSK). Then the second step S2 consists in diversifying each of these intermediate keys MSKL from the integrated circuit number IDcircui, (for example on 4 bytes) in the batch or on the wafer (or the coordinates Xdrcuit, Yoram). illustration, one can simply concatenate IDcircui, with each intermediate key MSKL and apply on this value obtained the hash function SHA-256: MSKDi = SHA-256 (IDcircui, || MSKL).

Thus, a plurality of personal authentication keys MSKD for the integrated circuit are obtained, each of these personal keys being dedicated to a particular service provided by the integrated circuit.

It can be noted that the use of a hash function such as SHA-256 has the advantage of simplifying the processing to form the input word of these functions: no truncation and only concatenations (here represented by the symbols "II") are useful, since a hash function can receive input data of variable length.

In addition, the SHA-256 hash function has the advantage of generating a 32-byte personal transport / authentication key, which corresponds to the size of a key for the AES algorithm that can be used for encryption. 'E13 authentication' described later. In particular, depending on the authentication algorithm, all or some of the bytes of the personal keys thus generated will be used: for an algorithm of the 3DES or AES-128 type, only the first 16 bytes of a personal key MSKD will be used. ; for an AES-192 type algorithm, only the first 24 bytes of a MSKD personal key will be used; and for an AES-256 type algorithm, the 32 bytes of a MSKD personal key will be used.

Figure 6 illustrates the dual diversification thus implemented by the presently described embodiments of the invention. From a single initial secret (MSK root key), the first diversification S1 makes it possible to obtain a plurality of intermediate keys for a batch, each intermediate key MSKLServ [in] being dedicated to a given service SERV [1-N] . Then the second diversification S2 allows to decline (derive) each of these intermediate keys into a personal key specific to the circuit T considered. Each personal key of the circuit T dedicated to SERV service is noted in the figure, MSKDiSERV.

The variation of this approach for a plurality of circuits is illustrated in FIG.

Following step E61 ', the processor records (E62'), in the non-volatile memory 12, the personal keys MSKD, thus generated, in association with the corresponding service and replacing the root key MSK. To avoid making the root key accessible to a malicious person, this operation is performed by overwriting the MSK root key with one (the first generated) new personal keys MSKD.

Then, the processor writes into a programmable nonvolatile memory only once (FIG. 8), also known as "PROM memory" _ Programmable Read Only Memory _ or "OTP memory" _ One Time Programmable _, a flag 150 (flag, for example a bit) indicating that the generation of the personal key (s) MSKD has already occurred (step E63 ').

The OTP memory 15 may, however, be a part of the ROM non-rewritable non-volatile memory 14.

Such an OTP memory 15, for example by irreversible fuse splicing, prevents any modification of the information 150 and thus guarantees a security as to whether the personal key (s) MSKD have indeed been generated.

The presence of this information in the OTP memory 15 is verified in particular every time the integrated circuit is powered up (for example at the beginning of the execution of the automatic key generation program) to determine whether it is the first turn on the circuit, in which case the generation of personal keys MSKD, must be performed as described above, or if it is a later power up, in which case the execution of the key generation program personal is blocked.

Thus flag 150 indicates that a first power-on signal has already been received.

In this embodiment, the step E63 'succeeds the generation step E61', thus securing the integrated circuit against problems that may arise from a possible power failure before the end of the diversification generation E61 '. Indeed, in this case it is not indicated, rightly, in the memory 15, that the personal key MSKD, has been generated. The next power-up E61 will then trigger this generation again.

Alternatively however, step E63 'may precede step E6T or be concomitant.

Then, according to the ISO / IEC 7816 standard, the circuit 10 then responds, at power-up, with an ATR message ("Answer To Resef") in step E65, in the context of the ISO / IEC 14443 standard. (contactless cards), this response takes the form of an ATS ('Answer To Select') message.

This order of steps makes it possible, if necessary, to indicate in the power-up response (ATR in the case of an integrated circuit provided for a contact device in accordance with ISO / IEC 7816 and ATS in the case of an integrated circuit provided for a contactless device in accordance with ISO / IEC 14443) that an error or anomaly has occurred in the generation of the personal key by diversification

Error detection means in the execution of a program of the smart card are then provided in the integrated circuit 10.

And the indication of an error or anomaly is thus detected during the test E8 to put the integrated circuit 10, discarded.

Indeed, if the integrated circuit returns an ATR message conforming to ISO 7816 and its content is correct, that is to say that expected by the control module (test E8), then this integrated circuit 10, is considered to be compliant (step E9).

Otherwise (for example if no response is received within a predefined time), the integrated circuit is considered faulty and discarded (step E10). On this occasion, the integrated circuit can be marked as faulty (in memory by the control module or an equivalent inscription in the log provided in step E5).

Alternatively, however, all or some of the steps E61 ', E62' and E63 'can be performed after step E65.

Due to the time required for the generation of the personal keys MSKDi in the integrated circuit 10, (taking between 50 and 500 ms, generally between 100 and 200 ms), the control module 220 is configured to wait long enough (predefined delay) when the E8 test to allow the complete generation of personal keys.

Thus, this control module is configured to wait for the ATR / ATS response at power-up, at least 50 ms (milliseconds) before generating an error, in particular at least 100 ms, and preferably at least 250 ms or even 500 ms. In most cases, the wait will not be longer than 1 second or 500 ms.

After the steps E8 and E9, the integrated circuits 10 leave the manufacturing site with, in memory, a unique identification data ID, and a transport / authentication key MSKD, specific to each integrated circuit and to each service. that he proposes. The integrated circuits are then delivered to the personalization site 300 (step E11), either as an entire wafer or already individualized by cutting the wafer 1. In step E12, the integrated circuits received are, if necessary, cut from the wafer. received, then for example mounted on a sticker to form a smart card module, and finally inserted into a CO card body complies with ISO 7816 so as to create a smart card.

Of course, the same method is implemented for the production of contactless cards ("contactless" or "eCover" - commercial name) by mounting the integrated circuits on contactless card modules, or for the production of other entities. portable or handheld devices, such as memory cards (SD or Flash) or USB sticks, by selecting the body of the entity to receive the integrated circuit.

FIG. 8 illustrates the state of the integrated circuit 10, at the time of delivery E11: the memory 12 comprises the personal keys MSKD, but no longer the root key MSK, and the memory OTP 15 comprises the flag 150.

Then follows the customization of the smart card and therefore the integrated circuit it contains, a module / personalization device 320, to meet the expected functions. According to the presently described embodiments of the invention, various intermediate or personal keys dedicated to so many services have been generated to enable secure (authentication) control of access to each of the various personalization services available (for example services more or less degraded).

The customization of the circuit using a SERVI service comprises, in step E13 ', an authentication between the smart card CP and an access and personalization device 310/320 having the intermediate key MSKL associated with the SERVI service.

The purpose of this authentication is, for example, to authorize or not the writing of the data in the non-volatile memory, type EEPROM, of the integrated circuit 10,. This writing is then restricted to the rights conferred by the SERVI service used. Of course, other functionalities / options than simple writing can be accessed by the implementation of the invention. The authentication is carried out in particular by communication with the integrated circuit 10, through the communication interface 14, for example through the electrical contacts according to the ISO 7816 standard. By way of non-limiting illustration, challenge algorithm authentication -response can be implemented to authenticate the CP card by the access device or personalization. A similar authentication of the access or personalization device by the CP card is also provided to obtain mutual authentication of the two entities. The authentication of the CP card by the access or personalization device may comprise: the sending of a first digital command authentication command APDU, by the access or personalization device to the card to personalize, communicating a challenge c (typically a random number) of adequate size to the integrated circuit 10, (step E130). The APDU command may in particular indicate the SERV service accessed. At this stage, this APDU command constitutes the very first digital signal generally received by the smart card manufactured; the calculation, by the integrated circuit 10, of the card, of a response res1 corresponding to an encryption of the challenge c by its own transport or authentication key MSKD associated with the SERV service accessed (for example by application of a symmetric DES or AES algorithm) (step E134); sending the response res1, accompanied by the unique identification data ID, from the card to the access or personalization device (step E135); the calculation, by the access or personalization device, of the response res2 supposed to be received by it, by first deriving the intermediate key for the accessed service, MSKLserv, owned (from step E2 ' ) using the unique identification data ID, also received corresponding to this card, to obtain the personal key MSKDi.ca, abutSERV: MSKDi-computedSERV = SHA-256 (IDserv || IDcircuit || MSKL) (step E136 '); then calculating res2 using this personal key, in a similar way to calculating res1 but this time using the key MSKDi.caiCU | eeSERV; and the comparison between the two values res1 and res2 to validate or not the authentication (step E137).

It can therefore be seen that the authentication can be performed without the personalization device 320 being aware of the MSK root key from which the personal keys MSKDIServ of the various integrated circuits flow. The authentication of the access or personalization device by the CP card is similar, by inverting the roles: the first APDU command enables the CP card to generate a random number c which is then communicated to the access or personalization device .

In the case of positive mutual authentication, the personalization E14 of the integrated circuit of the smart card CP is then performed by the personalization device, using the SERV service accessed. Otherwise the customization is not allowed.

Such customization may consist in storing software instructions in nonvolatile memory 12 of the integrated circuit so that the smart card offers functions (electronic purse, ticket, passport, etc.).

Moreover, an appropriate choice of criteria applied for each diversification step S1 or S2 makes it possible to obtain operational intermediate keys for a more or less limited number of integrated circuits, per service. In particular, each MSKL intermediate key supplied to 300 can only concern integrated circuits processed by 300, for example by delivering only the batches or wafers whose identifier ID | 0, or IDwafer was used for the generation ΕΓ of each of these intermediate keys. MSKL communicated.

Figures 9 and 10 illustrate a second embodiment of the invention, wherein the same references as those described above relate to the same elements or the same steps.

This embodiment differs from the first in that the generation of the personal keys MSKDIServ in the integrated circuits 10, is carried out on receipt of the first valid command by the integrated circuit 10 ,, that is to say on receipt of a digital signal, in our example the command APDU E130.

The programming module 220 inscribes (E4 ') still in nonvolatile memory 12 of the integrated circuit 10, the root key MSK, the service identifiers and the serial number ID.

Then, a simplified E6 power test is implemented, replacing the test E6 '. This test E6 includes the step E60 during which the control module with feed head (it can be the same module as the programming module 220 provided with its head 230) connects to the normal external electrical contacts of the communication interface and turns on the integrated circuit 10j by applying a first analog power supply signal.

According to the ISO / IEC 7816 standard, the circuit 10 then responds, at power-up, with an ATR message ("Answer To Resef") in step E65, in the context of the ISO / IEC 14443 standard (cards contactless), this response takes the form of an ATS ("Answer To Select") message.

At the time of delivery E11, the memory 12 then comprises the root key MSK and not the personal keys MSKDIServ, and does not include the flag 150 in the memory OPT 15 (Figure 6). The authentication E13 "differs in that on receipt E130 of the very first command APDU, the execution of the program for automatic generation of personal keys transport / authentication MSKDîSERV is triggered within the integrated circuit 10, for the set of services offered by the integrated circuit (E131 ").

Of course, other triggering criteria upon receipt of a "first" command may be implemented, such as for example the receipt of a first valid command likely to cause the execution of an action by the processor 11 , or a first order among a class of orders or from a predefined list of orders.

The steps E132 "and E133" are respectively similar to the steps E62 'and E63' described above, leading, upon receipt of a command, to check the presence or absence of the flag 150 in memory 15 before triggering the execution E131 "of the generation of personal keys MSKDîServ.

The following steps E134, E135, E136 ', E137 and E14 are unchanged allowing authentication and customization of the integrated circuit 10,. The state of this integrated circuit before the customization step E14 is identical to that shown in FIG. 8.

Similarly to the first embodiment, the order of the steps E131 ", E132", E133 "can be modified, it being understood that the step E135 provides, in the response, the value res1 computed from the personal key MSKDISERV associated with the service used, as generated in step E131 ".

In addition, during the authentication E13 ", the personalization device 320 is configured to wait for the time necessary for the integrated circuit 10 to generate the personal keys MSKDIServ, generally at least 50 ms, or even 100, 250 or 500 ms, before generating an error message or sending a new APDU command.

Note, however, that the waiting times of such devices 320 to commands is generally greater than that of the control module 220 mentioned above. For example, it is common for smart card readers to wait a second before considering that the requested operation is a failure.

Thus, this embodiment integrates particularly well with the current waiting times of integrated circuit or chip card reading devices. The generation of personal keys MSKDîSERV thus appears almost transparent with regard to the processing time of the numerical control.

Also, the response E135 can indicate any error or anomaly that occurred during the generation E131 "or the records E132" and E133 ".

Moreover, although in these exemplary embodiments, the first part IDiot (or IDWafer) of the serial number and the second part IDcircui, of this same serial number used for the generation in two successive stages of diversification of the personal keys are additional parts of the unique serial number: ID, = IDiot (or IDwafer) || IDcircuit, it may be expected that this is not the case, for example that these two parts are different but with a subpart in common (for example ID, 0t and IDwafer on one side, and IDwafer and IDcircuit on the other side).

In a variant of these two embodiments, the steps E2 and E2 'consist in sending, both to the customization site 300 and to the manufacturing site 200, the intermediate keys MSKL associated with various services, such as generated during the first time. 'step ΕΓ.

In this case, the step E4 'consists in registering the keys MSKL (for the services offered) in memory of the integrated circuits 10, and the steps E61' and E131 "consist in implementing only the second diversification operation, in our example: MSKDiSERV = SHA-256 (IDSErv II IDcircuit || MSKL).

FIGS. 4 and 8 also apply to this second embodiment, except that, in the state of FIG. 4, the memory 12 comprises the intermediate keys MSKLserv instead of the root key MSK.

Another variant of the invention consists in that the founder 100 itself calculates the personal keys MSKDjSERV (step E3) by diversification of the key MSK or intermediate keys MSKLSErv according to whether it has received one or the other. In general, the dual diversification of keys by service as proposed here allows the use of personal keys MSKDISERV in several ways.

If the user or operator wishing to access a service of the integrated circuit has only the reference to the initial secret MSK, he must apply the first diversification S1 using IDserv and ID | 0t in order to obtain the intermediate key MSKLserv specific to the desired service. Then he must apply the second diversification S2 to obtain the personal key MSKDîSERV of the circuit considered for the desired service. He can then perform the desired operation with this key dedicated to the desired service.

If the user or operator wishing to access a service of the integrated circuit only already has the intermediate key MSKLserv specific to the desired service (because of Figures 3 to 10), it must only apply the second diversification S2 to obtain the personal key MSKDIServ of the circuit considered for the desired service. He can then perform the desired operation with this key dedicated to the desired service.

Then, if the user or operator wishes to use another service, he must: either use the identifier IDsen, of the new service (in addition to the data ID | 0t of derivation) with the reference to the initial secret MSK; or use another intermediate key MSKLServ dedicated to the new service.

It can be seen that the solution proposed here by the invention leads to obtaining several personal keys MSKDjSERV from a single initial secret reference MSK. Knowledge of such a personal key MSKDjSERV does not compromise the original secret MSK or its own intermediate key MSKLSErv (because diversifications are not invertible), nor the other intermediate and personal keys associated with other services. Note that, although the description above envisages a diversification from the identifier IDserv during the first diversification S1, it can be envisaged to realize it during the second diversification S2.

The foregoing examples are only embodiments of the invention which is not limited thereto.

For example, although mention is made of two steps S1 and S2 constituting the diversification of the MSK root key, a greater number of steps can be provided, generating several successive intermediate keys for the same service. Such a case can for example be used, for a company to which a batch of wafers is delivered (first stage of diversification using ID | 0t to generate an intermediate key per service for the company) which are distributed over several sites. customization (second step of diversification using IDwafer to generate, from the intermediate key previously obtained, a new intermediate key by service and by site). Each site then performs authentication E13 'or E13 "using the intermediate key received for the service used.

Preferably, the diversification using the service identifier is performed from the first diversification of the successive diversification. Of course, it can alternatively intervene at a later stage.

In particular, the first diversification can be performed in the integrated circuit to receive the first power-up signal (step E6 ') and the second diversification also in the integrated circuit but on receiving the first digital signal (step E13 ").

Furthermore, the invention can be implemented in contexts of use different from the manufacturing context and (pre) customization of the integrated circuits as described above. For example, the root key can be stored in the volatile memory during the personalization operation of the CP card. It is then diversified into personal authentication keys for various services, from the first use in a user (detection of the first signal from a read / write device of a user).

Moreover, although the examples of diversification mentioned above implement a SHA-256 hashing operation, these diversifications can implement symmetric or asymmetric key cryptographic operations (AES, DES), either directly on all or part of the serial numbers ID ,, either on the result of the hashing operation (in this case we combine hash and cryptographic operation).

Claims (10)

A method of accessing a service (SERV) in an integrated circuit (10), comprising: an authentication step (E13 ', E13 "), by an external access device to the integrated circuit, of said integrated circuit using a personal authentication key (MSKDîSERV) specific to said integrated circuit and stored in the integrated circuit, said personal authentication key being generated by a first diversification (S1) of a root key (MSK) into an intermediate key ( MSKLServ)> followed by a second diversification (S2) of the intermediate key into the personal authentication key, in the case of successful authentication, an access step (E14) to the service in the integrated circuit, characterized in that the first or second diversification comprises a diversification operation of the root or intermediate key from a unique information (IDserv) associated with said service to be accessed. 2. The method of claim 1, wherein the diversification operation from said unique information associated with said service to be accessed is included in the first diversification diversifying the root key into an intermediate key. 3. The method according to claim 2, wherein the first diversification (S1) of the root key into the intermediate key further comprises an operation of diversification of the root key from a batch identifier (ID | 0t). consisting of a plurality of integrated circuits. 4. The method of claim 3, wherein the batch identifier is a first sub-part of a serial number of the integrated circuit (ID,). 5. Method according to claim 4, wherein the second diversification (S2) diversifying the intermediate key into the personal key comprises a diversification operation of said intermediate key from a second sub-part (IDcircuit), distinct from the first subpart, of the serial number of the integrated circuit. 6. The method of claim 4 or 5, wherein the unique serial number of the integrated circuit is stored in nonvolatile memory of the integrated circuit. The method of any one of claims 1 to 6, wherein the second diversification of the intermediate key into the personal authentication key comprises a diversification operation of the intermediate key from a unique serial number (ID ,, IDcircuit) of the integrated circuit. The method of any one of claims 1 to 7, wherein accessing the service comprises customizing the integrated circuit using data specific to said integrated circuit. A system for accessing a service in an integrated circuit, comprising an access device external to the integrated circuit, said access device comprising code instructions which when executed by a processor drive the access device performing the following steps: an authentication step of said integrated circuit using a personal authentication key specific to said integrated circuit and stored in the integrated circuit, said personal authentication key being generated by a first diversification of a root key in an intermediate key, followed by a second diversification of the intermediate key into the personal authentication key; in the case of successful authentication, a step of accessing the service in the integrated circuit; characterized in that the first or second diversification comprises a diversification operation of the root or intermediate key from a unique information associated with said service to access. 10. System according to claim 9, configured for, during the first diversification, diversify the root key into an intermediate key from said unique information associated with said service to access and from a batch identifier consisting of a plurality integrated circuits; and for, during the second diversification, diversify the intermediate key thus obtained in the personal key from a serial number of the integrated circuit.